This document introduces different types of fuzzing techniques. It discusses generational fuzzing which generates completely random inputs and is good for detecting parser errors but difficult to generate meaningful inputs. Mutational fuzzing generates inputs by adding random mutations to seed inputs, which can produce more interesting inputs. Coverage-based mutational fuzzing, also called greybox fuzzing, uses code coverage to leverage interesting inputs. Grammar-based fuzzing generates inputs based on grammars defined in formats like BNF to create more structured inputs. Greybox grammar fuzzing combines grammar-based seed generation with mutation and coverage-based selection. Overall, coverage-based techniques are very effective for testing mature applications, while grammars can improve input variety.

1. Introduction to Fuzzing
Hieu Nguyen

2. What is fuzzing?

4. What can be random?
- parameters
- time
- database state
- machine state
- crash
- ...

5. What can be random?
- parameters
- time
- database state
- machine state
- crash
- ...

6. Fuzzing type
- Generational
- Mutational

7. Random Generational Fuzzing
- Completely random
- Generate from scratch

8. Random Generational Fuzzing
- Good for detecting parser error
- Hard to get meaningful input

9. Random Generational Fuzzing
- Good for detecting parser error
- Hard to get meaningful input
- Notable application: detect invalid memory access in
C/C++ program (heartbleed)

10. Mutational Fuzzing
- Generate input by adding random mutation to seed
- Mutation type:
- Add bytes
- Delete bytes
- Flip bytes
- ...

11. Mutational fuzzing
- Can generate more interesting input
- But...

12. Coverage-based Mutational Fuzzing
- Also called Greybox Fuzzing
- Use coverage to find and leverage interesting input

13. AFL (American Fuzzy Lop)

14. AFL (American Fuzzy Lop)

15. Compare different fuzzing strategies

16. Coverage-based Mutational Fuzzing
- Very effective
- Need a bit of tuning depending on application

17. Grammar Generational Fuzzing
- Generate random input based on grammar
- Usually use BNF (Backus–Naur form)

18. Grammar Generational Fuzzing
- Create more structured input
- Hard to simulate invalid input

19. Greybox Grammar Fuzzing
- Generate seed based on Grammar
- Mutate input
- Leverage interesting input based on coverage

20. Greybox Grammar Fuzzing
- Generate seed based on Grammar
- Mutate input
- Leverage interesting input based on coverage

21. LangFuzz
- Grammar Greybox Fuzzer
- Use for testing browser JS interpreters
- Found more than 2000 bugs!

22. Compare different fuzzing strategies

23. That’s not all...
- Add power to seed to leverage stronger seed
- Extend Grammar with EBNF and probability
- Mining seed from external source
- Use structured mutation
- Semantical fuzzing

24. Cons
- Huge learning curve
- Suitable only for mature application
- Slow and computational heavy

25. Summary
- Fuzzing is testing with random input
- Use coverage stat to increase fuzzing accuracy
- Use grammar to improve seed variety
- Effective to test critical & mature part of the system

26. References
- https://www.fuzzingbook.org
- https://www.cs.dartmouth.edu/~mckeeman/reference
s/DifferentialTestingForSoftware.pdf

27. Thank you
for listening